Log in

No account? Create an account
entries friends calendar profile my webpage Previous Previous Next Next
*sigh* - Tina Marie's Ramblings
Red hair and black leather, my favorite colour scheme...
I'm trapped in a 2-day security seminar.

We've spent 1.5 days on "what's a buffer overflow".

I'm bored.
4 comments or Leave a comment
emt420 From: emt420 Date: April 2nd, 2004 09:19 am (UTC) (Link)
Wish we could send you text messages. That's the only way I survived my EMS dispatch course without gnawing off my limbs.
skywhisperer From: skywhisperer Date: April 2nd, 2004 10:58 am (UTC) (Link)
Yeah. I had text messaging on my phone for a year, never got a message, it was costing me $7 a month, so I turned it off....
alioth1 From: alioth1 Date: April 3rd, 2004 02:05 am (UTC) (Link)


$7 a month for texting!? It's essentially protocol overhead! They have the gall to charge 10p per text here, but that's not bad if you just send the occasional one (and it means your phone is also a pager). I assume you're on a GSM provider not one of these funky CDMA type thingies.

I'm so tempted to buy a huge block of text messages on an Internet service, write a small J2ME app to connect to my server, then offer text over GPRS for 3p per text.

Texting is useful because it's discreet: if you're on the bus or the train and your phone's on vibrate you don't annoy other passengers with "HI, I'M ON THE TRAIN!!!"

As far as boring lectures go, since I have internet access from my phone, I can just discreetly go onto IRC :-)
alioth1 From: alioth1 Date: April 3rd, 2004 02:13 am (UTC) (Link)

I wonder...

I wonder if they'll mention how developing for Microsoft operating systems is much more prone to bugs, because of the over-complex and crufty Win32 API. For instance, if you want to listen to a socket, a named pipe and a serial port, Windows forces you to use three different API calls and methods to do it (select() on sockets, PeekNamedPipe on named pipes - you essentially are forced to poll named pipes if you don't want to block - and something else yet again for the serial port.) On Unix flavoured things, select() works for everything you can get a file descriptor on (which is everything). On Windows, if you want a program to read and write configuration data, you have to write extra code to meddle with the registry, instead of using the same read/write functions you would with a regular file. On Windows, if you have a barcode scanner which is a USB human interface device, and a barcode scanner which is a serial port device, you must write different code to handle both types of barcode scanner - under Unix, you essentially just tell it to look at /dev/uhid0 instead of /dev/tty00.

The Windows API feels congealed, not designed. _This_ is why I dislike Windows so much, it's incredibly untidy. MS could have got rid of all the inherited DOS-like cruft when they made Windows NT which was after all not backward-compatible with DOS except by emulation, but it seems like they didn't know any better. Applications are therefore more complex than they need to be, therefore a higher risk of bugs. If you have a security hole in your socket handling code, because you have different code to handle named pipes and serial ports, fixing your socket reader won't fix the others. Which could have subtle flaws of their own.

Then you can get to things like OpenBSD, which has buffer overflow prevention built into the kernel (W^X) so if a buggy app has an unchecked buffer, privilege escalation exploits can't be written against it.
4 comments or Leave a comment